I saw FX speak on Cisco IOS forensics at Black Hat DC 2008. I just got a chance to read his excellent post On IOS Rootkits. I was impressed to read FX's pointer to his company's Cisco Incident Response - CIR Online Service, with a specific report run on Sebastian 'topo' Muniz's IOS rootkit. Also, consider this from FX's post:
Now that some people actually talk about IOS rootkits, interesting tidbits show up. One person asked me if we have tested CIR with the Russian IOS rootkit that was for sale a few years ago. No, we didn't, but good to know that these exist.
Russian IOS rootkit... interesting. How much proof do we need to Monitor our routers?